Malicious PDF — malware analysis report

Static analysis result for SHA-256 83d7ccb94a3e75a8…

MALICIOUS

PDF

51.1 KB Created: 2020-08-25 11:47:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bba600d7622cd16d831d4ee2449bbdad SHA-1: 3450156580dc686a7c8ff64abed9d3897cc378e5 SHA-256: 83d7ccb94a3e75a8f8f974de51256cebdabbe309a0087018e2cc85baf46ba65e
90 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing indicating a malicious redirector link. The embedded URL, 'https://ttraff.com/pify?keyword=angry+birds+transformers+apk+mod+2019', is the primary indicator of malicious intent, likely serving as a lure for further malicious activity. The document body, though heavily obfuscated, contains references to this URL and appears to be a social engineering attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=angry+birds+transformers+apk+mod+2019
    • http://kuxut.clemsonelementarypta.com/uploads/1/3/2/6/132682787/sominojesim.pdf
    • https://cdn.shopify.com/s/files/1/0433/0923/6374/files/c_form_haryana_apply.pdf
    • https://cdn.shopify.com/s/files/1/0431/1629/8393/files/cambridge_primary_science_learner_s_book_2.pdf
    • https://cdn.shopify.com/s/files/1/0428/0736/1703/files/wupezewatomegufibiza.pdf
    • https://cdn.shopify.com/s/files/1/0430/6855/5415/files/11141678096.pdf
    • https://cdn.shopify.com/s/files/1/0435/6934/8763/files/75825915920.pdf
    • https://cdn.shopify.com/s/files/1/0429/3551/7337/files/46724904675.pdf
    • https://cdn.shopify.com/s/files/1/0433/6926/7354/files/76673567908.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005c39.bin
fadb02f7843185e416d2ad0abddd93da948cce27a340352db4fa4b5b9541d1cf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C39 6104 bytes
font_01_sfnt_off000070e6.bin
be7833edf923b8d1431f47e2534d43420b370591cae53ab9150fb72f0961672f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x70E6 10268 bytes
font_02_sfnt_off00008e3f.bin
4b287084ff01377aa9bf7e68907f263f5b212aea60547b92d30e99e33e2d11c1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8E3F 16020 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.